1317.1.5
by Monty Taylor
Added Authorization interface. |
1 |
/* -*- mode: c++; c-basic-offset: 2; indent-tabs-mode: nil; -*-
|
2 |
* vim:expandtab:shiftwidth=2:tabstop=2:smarttab:
|
|
3 |
*
|
|
4 |
* Copyright (C) 2010 Monty Taylor
|
|
5 |
*
|
|
6 |
* This program is free software; you can redistribute it and/or modify
|
|
7 |
* it under the terms of the GNU General Public License as published by
|
|
8 |
* the Free Software Foundation; either version 2 of the License, or
|
|
9 |
* (at your option) any later version.
|
|
10 |
*
|
|
11 |
* This program is distributed in the hope that it will be useful,
|
|
12 |
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
13 |
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
14 |
* GNU General Public License for more details.
|
|
15 |
*
|
|
16 |
* You should have received a copy of the GNU General Public License
|
|
17 |
* along with this program; if not, write to the Free Software
|
|
18 |
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
19 |
*/
|
|
20 |
||
2173.2.1
by Monty Taylor
Fixes incorrect usage of include |
21 |
#include <config.h> |
1317.1.5
by Monty Taylor
Added Authorization interface. |
22 |
|
23 |
#include <vector> |
|
24 |
||
2173.2.1
by Monty Taylor
Fixes incorrect usage of include |
25 |
#include <drizzled/plugin/authorization.h> |
26 |
#include <drizzled/identifier.h> |
|
27 |
#include <drizzled/error.h> |
|
28 |
#include <drizzled/session.h> |
|
29 |
#include <drizzled/gettext.h> |
|
1317.1.5
by Monty Taylor
Added Authorization interface. |
30 |
|
31 |
namespace drizzled |
|
32 |
{
|
|
33 |
||
1966.2.6
by Brian Aker
This is from the catalog patch (I'm pushing it up as its own little thing |
34 |
/*
 * Registry of authorization plugins. addPlugin() appends to it, removePlugin()
 * erases from it, and every isAuthorized() overload and pruneSchemaNames()
 * reads it. While it is empty, all of those checks allow everything.
 *
 * The vector stores raw pointers; nothing in this file deletes them.
 * NOTE(review): no locking is visible in this file. Confirm that plugins are
 * only added or removed while no session can be running an authorization check.
 */
std::vector<plugin::Authorization *> authorization_plugins;
1317.1.5
by Monty Taylor
Added Authorization interface. |
35 |
|
36 |
||
37 |
/**
 * Register an authorization plugin so that later isAuthorized() and
 * pruneSchemaNames() calls consult it.
 *
 * @param auth  plugin to register; a NULL pointer is ignored.
 * @return always false, whether or not anything was registered
 *         (presumably the registration convention where false means
 *         "no error"; confirm against the plugin loader).
 */
bool plugin::Authorization::addPlugin(plugin::Authorization *auth)
{
  /* A NULL plugin is skipped, and the caller is not told. */
  if (auth == NULL)
    return false;

  authorization_plugins.push_back(auth);
  return false;
}
|
|
44 |
||
45 |
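/**
 * Unregister an authorization plugin.
 *
 * Only the first matching entry is removed. A NULL pointer, or a plugin that
 * was never registered, leaves the registry unchanged.
 *
 * @param auth  plugin to remove from the registry.
 */
void plugin::Authorization::removePlugin(plugin::Authorization *auth)
{
  if (auth == NULL)
    return;

  std::vector<plugin::Authorization *>::iterator position=
    std::find(authorization_plugins.begin(),
              authorization_plugins.end(),
              auth);

  /*
   * std::find returns end() when the plugin is not in the registry, and
   * erase(end()) is undefined behaviour, so erase only a real match.
   */
  if (position != authorization_plugins.end())
    authorization_plugins.erase(position);
}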
|
|
54 |
||
55 |
namespace
|
|
56 |
{
|
|
57 |
||
58 |
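/**
 * Predicate for std::find_if over the registered authorization plugins,
 * asking each one about access to a schema.
 *
 * It returns the plugin's restrictSchema() result unchanged. The caller in
 * this file treats a true result as "this plugin denies access".
 *
 * Only references are stored, so an instance must not outlive the User and
 * Schema objects it was constructed from.
 */
class RestrictDbFunctor
{
  const identifier::User &user_ctx;
  const identifier::Schema &schema;

public:
  /*
   * Declared directly instead of inheriting from std::unary_function, which
   * is deprecated since C++11 and removed in C++17.
   */
  typedef plugin::Authorization *argument_type;
  typedef bool result_type;

  RestrictDbFunctor(const identifier::User &user_ctx_arg,
                    const identifier::Schema &schema_arg) :
    user_ctx(user_ctx_arg),
    schema(schema_arg)
  { }

  /* const: evaluating the predicate does not modify the functor itself. */
  result_type operator()(argument_type auth) const
  {
    return auth->restrictSchema(user_ctx, schema);
  }
};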
|
|
77 |
||
78 |
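/**
 * Predicate for std::find_if over the registered authorization plugins,
 * asking each one about access to a table.
 *
 * It returns the plugin's restrictTable() result unchanged. The caller in
 * this file treats a true result as "this plugin denies access".
 *
 * Only references are stored, so an instance must not outlive the User and
 * Table objects it was constructed from.
 */
class RestrictTableFunctor
{
  const identifier::User &user_ctx;
  const identifier::Table &table;

public:
  /*
   * Declared directly instead of inheriting from std::unary_function, which
   * is deprecated since C++11 and removed in C++17.
   */
  typedef plugin::Authorization *argument_type;
  typedef bool result_type;

  RestrictTableFunctor(const identifier::User &user_ctx_arg,
                       const identifier::Table &table_arg) :
    user_ctx(user_ctx_arg),
    table(table_arg)
  { }

  /* const: evaluating the predicate does not modify the functor itself. */
  result_type operator()(argument_type auth) const
  {
    return auth->restrictTable(user_ctx, table);
  }
};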
|
|
96 |
||
97 |
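/**
 * Predicate for std::find_if over the registered authorization plugins,
 * asking each one whether one user may act on another user's session.
 *
 * user_ctx is the requesting user and session_ctx the user that owns the
 * target session. The plugin's restrictProcess() result is returned unchanged.
 * The caller in this file treats a true result as "this plugin denies".
 *
 * Only references are stored, so an instance must not outlive the two User
 * objects it was constructed from.
 */
class RestrictProcessFunctor
{
  const identifier::User &user_ctx;
  const identifier::User &session_ctx;

public:
  /*
   * Declared directly instead of inheriting from std::unary_function, which
   * is deprecated since C++11 and removed in C++17.
   */
  typedef plugin::Authorization *argument_type;
  typedef bool result_type;

  RestrictProcessFunctor(const identifier::User &user_ctx_arg,
                         const identifier::User &session_ctx_arg) :
    user_ctx(user_ctx_arg),
    session_ctx(session_ctx_arg)
  { }

  /* const: evaluating the predicate does not modify the functor itself. */
  result_type operator()(argument_type auth) const
  {
    return auth->restrictProcess(user_ctx, session_ctx);
  }
};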
|
|
115 |
||
1471.2.2
by Monty Taylor
Updated Authorization plugin interface to use new Schema|TableIdentifier |
116 |
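/**
 * Predicate for std::remove_if over a list of schemas. It returns true for
 * each schema the user is NOT authorized for, so that schema gets removed.
 *
 * The check is made with send_error == false, so a pruned schema produces no
 * error for the client.
 *
 * Only a reference to the user is stored, so an instance must not outlive it.
 */
class PruneSchemaFunctor
{
  const drizzled::identifier::User &user_ctx;

public:
  /*
   * Declared directly instead of inheriting from std::unary_function, which
   * is deprecated since C++11 and removed in C++17.
   */
  typedef identifier::Schema &argument_type;
  typedef bool result_type;

  PruneSchemaFunctor(const drizzled::identifier::User &user_ctx_arg) :
    user_ctx(user_ctx_arg)
  { }

  /* The argument is a schema, not a plugin, and is named accordingly. */
  result_type operator()(argument_type schema) const
  {
    return not plugin::Authorization::isAuthorized(user_ctx, schema, false);
  }
};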
|
|
131 |
||
1317.1.5
by Monty Taylor
Added Authorization interface. |
132 |
} /* namespace */ |
133 |
||
2246.4.11
by Olaf van der Spek
Remove const_reference and reference from identifier::User |
134 |
/**
 * Decide whether a user may access a schema.
 *
 * Access is denied as soon as one registered plugin's restrictSchema()
 * returns true; plugins after that one are not consulted.
 *
 * @param user_ctx           user requesting access.
 * @param schema_identifier  schema being accessed.
 * @param send_error         when true, a denial is reported through
 *                           error::access() before returning.
 * @return true when access is allowed, false when a plugin denied it.
 */
bool plugin::Authorization::isAuthorized(const identifier::User& user_ctx,
                                         const identifier::Schema& schema_identifier,
                                         bool send_error)
{
  typedef std::vector<plugin::Authorization *>::const_iterator plugin_iterator;

  /*
   * Fail-open: with no authorization plugin registered, every request is
   * allowed. Authorization is only enforced once a plugin has been loaded.
   */
  if (authorization_plugins.empty())
    return true;

  /* find_if stops at the first plugin whose restrictSchema() returns true. */
  const plugin_iterator denier=
    std::find_if(authorization_plugins.begin(),
                 authorization_plugins.end(),
                 RestrictDbFunctor(user_ctx, schema_identifier));

  /* Reaching end() means every plugin returned false, so none restricts. */
  if (denier == authorization_plugins.end())
    return true;

  if (send_error)
    error::access(user_ctx, schema_identifier);

  return false;
}
|
|
164 |
||
2246.4.11
by Olaf van der Spek
Remove const_reference and reference from identifier::User |
165 |
/**
 * Decide whether a user may access a table.
 *
 * Access is denied as soon as one registered plugin's restrictTable()
 * returns true; plugins after that one are not consulted.
 *
 * @param user_ctx          user requesting access.
 * @param table_identifier  table being accessed.
 * @param send_error        when true, a denial is reported through
 *                          error::access() before returning.
 * @return true when access is allowed, false when a plugin denied it.
 */
bool plugin::Authorization::isAuthorized(const drizzled::identifier::User& user_ctx,
                                         const identifier::Table& table_identifier,
                                         bool send_error)
{
  typedef std::vector<plugin::Authorization *>::const_iterator plugin_iterator;

  /*
   * Fail-open: with no authorization plugin registered, every request is
   * allowed. Authorization is only enforced once a plugin has been loaded.
   */
  if (authorization_plugins.empty())
    return true;

  /* find_if stops at the first plugin whose restrictTable() returns true. */
  const plugin_iterator denier=
    std::find_if(authorization_plugins.begin(),
                 authorization_plugins.end(),
                 RestrictTableFunctor(user_ctx, table_identifier));

  /* Reaching end() means every plugin returned false, so none restricts. */
  if (denier == authorization_plugins.end())
    return true;

  if (send_error)
    error::access(user_ctx, table_identifier);

  return false;
}
|
|
194 |
||
2246.4.11
by Olaf van der Spek
Remove const_reference and reference from identifier::User |
195 |
/**
 * Decide whether a user may act on another session.
 *
 * The request is denied as soon as one registered plugin's restrictProcess()
 * returns true; plugins after that one are not consulted.
 *
 * @param user_ctx    user making the request.
 * @param session     target session; its user is what the plugins are asked
 *                    about.
 * @param send_error  when true, a denial raises ER_KILL_DENIED_ERROR with the
 *                    target session's thread id.
 * @return true when the action is allowed, false when a plugin denied it.
 */
bool plugin::Authorization::isAuthorized(const drizzled::identifier::User& user_ctx,
                                         const Session& session,
                                         bool send_error)
{
  typedef std::vector<plugin::Authorization *>::const_iterator plugin_iterator;

  /*
   * Fail-open: with no authorization plugin registered, every request is
   * allowed. Authorization is only enforced once a plugin has been loaded.
   */
  if (authorization_plugins.empty())
    return true;

  /*
   * Hold our own shared_ptr to the session's user, so the reference count is
   * raised and the object stays alive while the plugins inspect it.
   * NOTE(review): session_ctx is dereferenced below without a null check.
   * Confirm that session.user() can never return an empty pointer.
   */
  drizzled::identifier::user::ptr session_ctx= session.user();

  /* find_if stops at the first plugin whose restrictProcess() returns true. */
  const plugin_iterator denier=
    std::find_if(authorization_plugins.begin(),
                 authorization_plugins.end(),
                 RestrictProcessFunctor(user_ctx, *session_ctx));

  /* Reaching end() means every plugin returned false, so none restricts. */
  if (denier == authorization_plugins.end())
    return true;

  if (send_error)
    my_error(ER_KILL_DENIED_ERROR, MYF(0), session.thread_id);

  return false;
}
|
|
231 |
||
2246.4.11
by Olaf van der Spek
Remove const_reference and reference from identifier::User |
232 |
/**
 * Remove from a schema list every schema the user is not authorized for.
 *
 * The list is filtered in place. Denials raise no error, because
 * PruneSchemaFunctor calls isAuthorized() with send_error == false.
 *
 * @param user_ctx        user whose view of the schemas is being built.
 * @param set_of_schemas  list to filter; modified in place.
 */
void plugin::Authorization::pruneSchemaNames(const drizzled::identifier::User& user_ctx,
                                             identifier::schema::vector &set_of_schemas)
{
  /*
   * Fail-open: with no authorization plugin registered there is nothing to
   * filter, and the caller keeps the complete list.
   */
  if (not authorization_plugins.empty())
  {
    /* remove_if moves the kept schemas to the front; erase drops the rest. */
    set_of_schemas.erase(std::remove_if(set_of_schemas.begin(),
                                        set_of_schemas.end(),
                                        PruneSchemaFunctor(user_ctx)),
                         set_of_schemas.end());
  }
}
|
244 |
||
245 |
} /* namespace drizzled */ |